Responsible disclosure policy

The safety of this website is very important to the organizers of the ONE Conference. Despite our concern for security, weak points can still remain. Have you found such a weak point? Let us know.

Doing so is called ‘responsible disclosure’. Have you discovered a security flaw in one-conference.nl? Weak points can be discovered in two ways: you can accidentally come upon something during the normal use of a digital environment, or you can explicitly do your best to find them. Please notify us before informing the outside world, so that we can first take action as quickly as possible.

We always take your report seriously and scrutinize any suspicion of a vulnerability. We are happy to work with you to make the safety of this website even better. This is not an invitation to extensively scan and test this website to find weak points. We do that ourselves.

What to do:

  • Mail your findings as soon as possible to info[@]one-conference.nl
  • Provide sufficient information so that we can reproduce the problem in order to solve it quickly. Usually the IP address or the URL and a description of the vulnerability are sufficient. More information may be required for more complex vulnerabilities.
  • Do not perform tests in advance that make use of attacks on physical security, social engineering or third-party applications.
  • Do not use brute force or denial of service.
  • Do not abuse the vulnerability by changing or removing data or by placing malware.
  • Do not share the problem with others until we have solved it.
  • Do not copy any data from our systems, other than what is absolutely necessary to demonstrate the leak.
  • Provide us with contact details (e-mail address and preferably telephone number) so that we can contact you to work together on a safe result.

What we promise:

  • We will respond to your report within three working days, with our evaluation of the report and, if possible, an expected resolution date.
  • When you report the weak point, check that you comply with the conditions described above. If you do so, we will not attach any legal consequences to your notification.
  • We will handle your report confidentially, and will not share your personal information with third parties without your permission. The exception to this is the police and judiciary, in the event of prosecution or if information is demanded.
  • We will keep you informed of our progress to resolve the problem.